Simplified quantum bit commitment using single photon nonlocality 
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We simplified our previously proposed quantum bit commitment (QBC) protocol based on the 
Mach-Zehnder interferometer, by replacing symmetric beam splitters with asymmetric ones. The 
protocol is immune to the cheating strategy in the Mayers-Lo-Chau no-go theorem of unconditionally 
secure QBC, because the density matrices of the committed states do not satisfy a crucial condition 
on which the no-go theorem holds. 
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I. INTRODUCTION 



II. NOTATIONS AND SETTINGS 
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Quantum bit commitment (QBC) is a two-party cryp- 
tography including two phases. In the commit phase, 
Alice (the sender of the commitment) decides the value 
of the bit b (b — or 1) which she wants to commit, 
and sends Bob (the receiver of the commitment) a piece 
of evidence, e.g., some quantum states. Later, in the 
unveil phase, Alice announces the value of 6, and Bob 
checks it with the evidence. An unconditionally secure 
QBC protocol needs to be both binding (i.e., Alice can- 
not change the value of b after the commit phase) and 
concealing (Bob cannot know b before the unveil phase) 
without relying on any computational assumption. 

QBC is recognized as an essential primitive for quan- 
tum cryptography, as it is the building block for quantum 
multi-party secure computations and more complicated 
"post-cold-war era" multi-party cryptographic protocols 
[3, [|| . Unfortunately, it is widely accepted that uncondi- 
tionally secure QBC is impossible [3|-|26|], despite of some 
attempts towards secure ones (a detailed list can be found 
in the introduction of [13]). This result, known as the 
Mayers-Lo-Chau (MLC) no-go theorem, was considered 
as putting a serious drawback on quantum cryptography. 

Very recently, we proposed a QBC protocol using 
orthogonal states [13, [28|, where the density matrices 
do not satisfy a crucial condition on which the MLC 
no-go theorem holds. Thus unconditional security be- 
comes achievable. This QBC protocol is based on a 
quantum key distribution (QKD) scheme proposed by 
Goldenberg and Vaidman [29|, which makes use of the 
Mach-Zehnder interferometer involving symmetric beam 
splitters. Koashi and Imoto pointed out [3(| that the 
Goldenberg- Vaidman (GV) scheme can be simplified by 
replacing the symmetric beam splitters with asymmetric 
ones. Here we will apply the same idea to simplified our 
QBC protocol. 
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Generally, in both QKD and QBC the two par ticipants 
are called Alice and Bob. But similar to (27[, in our 
current QBC protocol, the behaviour of Bob is more like 
that of the eavesdropper rather than the Bob in QKD. To 
avoid confusion, here we use the names in the following 
way. In QKD, the sender of the secret information is 
called Alice, the receiver is renamed as Charlie instead 
of Bob, and the external eavesdropper is called Eve. In 
QBC, the sender of the commitment is Alice, the receiver 
is Bob, and there is no Eve since QBC merely deals with 
the cheating from internal dishonest participants, instead 
of external eavesdropping. 

As our main interest is focused on the theoretical pos- 
sibility of unconditionally secure QBC, we will only con- 
sider the ideal case where no transmission error occurs 
in the communication channels, nor there are detection 
loss or dark counts, etc. 



III. THE KOASHI-IMOTO QKD SCHEME 

Our QBC proposal is inspired by the Koashi-Imoto 
(KI) QKD scheme [30(, which makes use of the Mach- 
Zehnder interferometer illustrated in FIG. 1. Let R and 
T denote the reflectivity and transmissivity of the asym- 
metric beam splitters BS\ and BS2, with R + T = 1 and 
R^T. Alice encodes the bit values and 1 she wants to 
transmit to Charlie, respectively, using two orthogonal 
states 

-> \9 ) = Vr\o) x \i) Y -iVR\i) x \o) Y , 

1 -> \^ 1 )=VT\l) x \0) Y -iy/R\0) x \l) Y . (1) 

Here |n) • is the n photon Fock state for the arm j = X, Y. 
That is, each |^ ) or l^i) is split into two localized wave 
packets, and sent to Charlie separately in quantum chan- 
nels X and Y respectively, thus single photon nonlocality 
is presented. This is done by sending a single photon ei- 
ther from the source So (sending l^o)) or Si (sending 
l^i)), then splitting it with the beam splitter BSi made 
of a half-silvered mirror (note that polarizing beam split- 
ters are not recommended due to the security problem 
addressed at the end of Sec. 6 of [27j). 




FIG. 1: Diagram of the experimental implementation of the Koashi-Imoto QKD scheme [3(J. The state of a photon produced 
by the source So (Si) will become |* ) = VT\0) x \1) y - iVR\l) x \0) Y = VT|1} X \0} y - iVR\0) x \1) Y ) after passing 

the asymmetric beam splitter BSi . The two wave packets of the same photon are sent through channels X and Y respectively. 
When no eavesdropper is present, the storage rings SRi, SR2, the mirrors Mi, M2 and the phase shifter n will ensure the 
complete apparatus work as a Mach-Zehnder interferometer, so that |*]/o} d^i}) will be detected by the detector Do (Di) with 
certainty. 



To ensure the security of the transmission, the wave 
packet in channel Y is delayed by the storage ring SR\, 
which introduces a sufficiently long delay time r so that 
this wave packet will not leave Alice's site until the 
other wave packet in channel X already entered Charlie's 
site. Thus the two wave packets of the same photon are 
never present together in the transmission channels. This 
makes it impossible for Eve to prepare and send Charlie 
a perfect clone on time if she waits to intercept and mea- 
sure both wave packets, even though |*I>o) and are 
orthogonal. On the other hand, when no eavesdropping 
occurs, Charlie can distinguish |*I>o) and |*]/i) unambigu- 
ously by adding a storage ring SR2 to channel X whose 
delay time is also r, while introducing a phase shift n to 
channel Y. The two wave packets of the same photon will 
then recombine and interfere on the beam splitter BS2, 
which is identical to BS\. Thus the complete apparatus 
of Alice and Charlie forms a Mach-Zehnder interferome- 
ter, so that 1*1/0) (l^i)) wm always make the detector Dq 
(Di) click with certainty, allowing Charlie to decode the 
transmitted bit correctly. Any mismatch result between 
Alice's transmitted state and Charlie's measurement will 
immediately reveals the presence of Eve [3(| • 



Comparing with the GV QKD protocol [29], the key 
difference is that BS\ and BS2 in the KI scheme are 
asymmetric beam splitters, while the GV scheme uses 
symmetric ones. The advantage of this modification is 
that the sending time of each photon can be fixed and 
publicly known beforehand, while in the GV scheme it 
has to be random and kept secret from Eve until the 
security check. 



IV. OUR QBC PROTOCOL 

As illustrated in FIG. 2, to build a QBC protocol upon 
the above KI QKD scheme, we treat Charlie's site as a 
part of Alice's, so that the two parties merge into one. 
That is, Alice sends out a bit-string encoded with the 
above orthogonal states, whose value is related with the 
bit she wants to commit. Then she receives the states 
herself. Meanwhile, let Bob take the role of Eve. His 
action shifts between two modes. In the bypass mode, he 
simply does nothing so that the corresponding parts of 
the states return to Alice intact. In the intercept mode, 
he applies the intercept-resend attack. That is, he inter- 
cepts the state and decode the corresponding bit (which 
can be done by using the same device as that of Char- 
lie's), while prepares a fake state and resends it to Alice 
on time. Let s denote the lower bound of the average 
probability for his resent state to be caught in Alice's 
check. Since the KI QKD scheme was shown to be un- 
conditionally secure [3Cj , it is clear that e cannot always 
equal exactly to zero for both |*T/o) and |*5i), regardless 
the strategy according to which Bob prepares the resent 
state. Therefore, Alice can estimate the frequency of the 
presence of the intercept mode, to limit Bob from inter- 
cepting the whole string, so that the value of the commit- 
ted bit can be made concealing. Meanwhile, since e < 1, 
at the end of the commit phase there will be some bits 
of the string become known to Bob, while Alice does not 
know the exact position of all these bits. Thus she cannot 
alter the string freely at a later time, making the protocol 
binding. The complete QBC protocol is described below. 

The commit protocol: 

(1) Bob chooses a binary linear (n, k, d)-code C [13] 
and announces it to Alice, where n, k, d are agreed on 



Bob 




FIG. 2: Diagram for the apparatus of the QBC protocol when Bob chooses the intercept mode. He measures Alice's photon 
using the same device as that of Alice, while sending another photon to Alice according to a certain strategy (corresponding to 
the device illustrated as the black box in the diagram) so that Alice's probability of finding his interception can be minimized. 



by both Alice and Bob. 

(2) Alice chooses a nonzero random n-bit string r = 
(rir 2 ...r„) £ {0,1}" and announces it to Bob. This 
makes any n-bit codeword c = (c\Ci---Cn) in C sorted 
into either of the two subsets C(o) = {c £ C\c Q r = 0} 

n 

and = {c £ C\c r = 1}. Here c0r=0CjArj. 

i=l 

(3) Now Alice decides the value of the bit b that she 
wants to commit. Then she chooses a codeword c from 
(7(6) randomly. 

(4) Alice encodes each bit of this specific c as Cj —> \^ Ci ) 
where |\T/ Ci ) is defined by equation ([1]), and sends Bob the 
two wave packets of the same state separately in channels 
X and Y, with the storage ring SRi on channel Y which 
introduces a delay time r known to Bob. 

(5) For each of Alice' states, Bob chooses the inter- 
cept mode with probability a and the bypass mode with 
probability 1 — a. 

If Bob chooses to apply the bypass mode, he simply 
keeps channels X and Y intact so that the state sent 
from Alice will be returned to her detectors as-is. 

Else if Bob chooses to apply the intercept mode, he 
uses the same measurement device as that of Alice's, to 
measure the state so he can decode the corresponding 
Cj with certainty. Meanwhile, he prepares another state 
and sends it back to channels X and Y at the right time, 
so that the time it reaches Alice's detectors will look the 
same when Bob applies the bypass mode. There could be 
many different strategics how Bob sends this state (thus 
we left this part of Bob's device as a black box in FIG. 2). 
For example, he can use the same device that Alice uses 
for sending her state. Or he can simply send all wave 
packets of his state simultaneously in one of the channels 
alone, e.g., in channel X beforehand or in channel Y 



after his detectors already received Alice's state. But 
due to the existence of the storage rings in both Alice's 
sending and measuring devices, if Bob waits until Alice's 
state enters his site completely, and he measures it then 
resends the same state to Alice, his resent state will reach 
Alice's detectors later than it is expected. Therefore, the 
unconditional security of the KI QKD scheme guarantees 
that in this mode, once Bob gains non-trivial information 
on Cj, his resent state will only have a probability 1— e < 1 
to make the right detector of Alice click at the right time. 

(6) Alice uses the same device that Charlie used in the 
KI QKD scheme, to measure the output of the quan- 
tum channels from Bob. She counts how many times her 
measurement results do not match the states she sent, 
and denotes it as n'. From step (5) it can be seen that 
ml ~ ean. Thus Alice can estimate the probability of 
Bob choosing the intercept mode as a ~ n' /(en). Al- 
ice agrees to continue with the protocol if a < 1 — d/n, 
which means that the number of Cf's known to Bob is 
an < n — d. Otherwise she concludes that Bob is cheat- 
ing. 

The unveil protocol: 

(7) Alice announces the values of b and c — (ciC2-..c n ). 

(8) Bob accepts the commitment if c r = b and c is 
indeed a codeword from C, and every Cj agrees with the 
state \^ Ci ) he detected in the intercept mode. 

V. SECURITY 

Intuitively, the protocol is secure against Alice's cheat- 
ing, because the binary linear (n, k, d)-code (7 guarantees 
that if Alice wants to change the value of the committed 
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6, she needs to change at least d bits of the codeword c. 
But she does not know with certainty on which bits Bob 
has applied the bypass mode. Therefore her probability 
of altering > d bits without being detected will drop ex- 
ponentially as d increases. By fixing d/n and increasing n 
in the protocol, this probability can be made arbitrarily 
close to zero. 

More generally, as pinpointed out in Sec. 4 of [27| . 
the validity of Alice's cheating strategy in all the no-go 
proofs [3j-|26| of unconditionally secure QBC is based 
on the condition pff ~ pf, where Pq (pf) is the re- 
duced density matrix of the state sent to Bob during 
the commit phase when Alice commits 6 = (6=1). 
On the other hand, equation ([T]) shows that in our pro- 
tocol |\&o) and are orthogonal. Then the state 
\ip c ) = |* cl )®|* C2 )®...®|* Ci )(g)...(g)|* c J correspond- 
ing to a specific codeword c is orthogonal to the state 
corresponding to any other codeword. Thus it is clear 
that our protocol satisfies p^ _L p? instead of pQ — pf , 
just like the previous protocol in [231, so that they both 
evade the MLC no-go theorem for the same reason. 

The security against Bob is obvious. Step (6) guaran- 
tees that during the commit phase, Bob knows an < n—d 
bits of the string c only. As the (n, k, e?)-code C ensures 
that the number of codewords having an bits in common 
grows exponentially as k increases, knowing an bits of 
c is insufficient to determine whether c belongs to C( ) 
or Cm. Thus Bob does not know 6, and his knowledge 
on 6 can be made arbitrarily small by fixing k/n and 
increasing n. Note that though Alice knows that there 
are n — an bits of c remaining unknown to Bob before 
the unveil phase, she does not know the exact position of 
these bits so she cannot utilize them for cheating. 

Though the current QBC protocol and the one in [27T ] 
have similarities in many ways, the underlying origins of 
their security against Bob are somewhat different. While 
both protocols are immune to Bob's cheating because 
they are based on unconditionally secure QKD schemes, 
as pointed out in [3(| , the GV QKD scheme can actually 
be viewed as utilizing three orthogonal states - two pho- 
ton states and one vacuum state. Its security is provided 
by the random sending times of the photons. On the 
contrary, the KI QKD scheme does not require the vac- 
uum state. The security is guaranteed by the fact that 



the eavesdropper cannot fake the states with certainty 
owe to the use of the asymmetric beam splitters. Sim- 
ilarly, the security of the QBC protocol in [13] against 
Bob is based on Alice's random sending times before the 
last step of the commit phase, while in our current QBC 
proposal, it is because Bob cannot fake the states with 
certainty when he runs the intercept mode. Therefore 
our current protocol is more than merely a simplification 
on the presentation. 

VI. FEASIBILITY 

In the above we focused only on the theoretical pos- 
sibility of evading the MLC no-go theorem. But we can 
see from FIG. 2 that our protocol is also very feasible, as 
the re quir ed experimental technology is already available 
today [31J- Nevertheless, under practical settings, some 
more security checks should be added against technical 
attacks. Especially, the physical systems implementing 
the qubits may actually have other degrees of freedom, 
which leave rooms for Alice's cheating. For example, she 
may send photons with certain polarization or frequency, 
so that she can distinguish them from the photons Bob 
sends in the intercept mode. In this case, Bob and Al- 
ice should discuss at the beginning of the protocol, to 
limit these degrees of freedom to a single mode. In step 
(5) when Bob chooses the intercept mode, he should also 
measure occasionally these degrees of freedom of some of 
Alice's photons, instead of performing the measurement 
in the original step (5). Then if Alice wants to send 
distinguishable photons with a high probability so that 
they are sufficient for her cheating, she will inevitably be 
detected. 

Also, when Bob applies the bypass mode, he should 
add phase shifters to both channels X and Y to introduce 
the same phase shift in both channels so that an honest 
Alice will not be affected, while the amount of this phase 
shift is randomly chosen and kept secret from Alice, so 
that the counterfactual attack described in the appendix 
of [H} can be defeated. 
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